- Paperback: 320 pages
- Publisher: No Starch Press; 1 edition (November 26, 2011)
- Language: English
- ISBN-10: 1593273886
- ISBN-13: 978-1593273880
- Product Dimensions: 7 x 0.8 x 9.2 inches
- Shipping Weight: 1.4 pounds
- Average Customer Review: 36 customer reviews
- Amazon Best Sellers Rank: #154,666 in Books
The Tangled Web: A Guide to Securing Modern Web Applications 1st Edition
About the Author
Michal Zalewski is an internationally recognized information security expert with a long track record of delivering cutting-edge research. He is credited with discovering hundreds of notable security vulnerabilities and frequently appears on lists of the most influential security experts. He is the author of Silence on the Wire (No Starch Press), Google's "Browser Security Handbook," and numerous important research papers.
Top customer reviews
Make no mistake, the book is focused on the browser and related technologies rather than the theory of security. The same tremendous insight, that made me nod with appreciation and wish that I had the book 5 years ago while working on security policies, illuminates browser concepts like in-browser content separation, scripting, and much more.
I appreciate the author's treatment of each of the concepts in the context of the browser as a complex and still evolving technology, with its own history, standards, market requirements and politics.
The Tangled Web untangles the mystery of some poor design philosophies and also discusses some of the improvements that have been made along the way. A quote from the book that sums it all up is a statement that "...the status quo reflects several rounds of hastily implemented improvements and is a complex mix of browser-specific special cases..."
I greatly enjoyed reading the book and jotted some notes down that may be useful to other readers. These were the topics that piqued my interest the most:
* SVG embedding vulnerabilities potential (e.g. some initial research also published by Thorsten Holz).
* Flash cross-domain exploitation examples and crossdomain.xml "loose" policies.
* Great coverage of "GIFAR" type issues.
* Astute observations of trade-offs in plugin attack surface versus actual benefit to users.
* XBAP security coverage.
* The excellent tables of Same-Origin-Policy violations and other tests versus different client-side contexts.
* In-depth coverage of URI schemes and potentials for abuse.
* How to resolve data sharing via new mechanisms like postMessage() API.
* Blind cookie-overwrite attacks (interesting examples).
* Very humorous localhost.cisco.com abuse example.
* Local HTML/other execution issues that break privacy segmentation.
* Interesting about:neterror security weakness example.
* New style HTML frame attacks.
* CSS object overlay click-jacking examples and impact on user experience (e.g. Firefox add-on installation).
* Content sniffing and dangers such as Byte Order Marking / UTF-7; also interesting note on difference between "UTF7" and "UTF-7".
* window.createPopup() example.
* Abusing HSTS header injection for client-side DoS.
* CSP coverage.
As a final note, it was highly predictable to see slow-moving browser vendors being cited for their inability to rectify issues quickly (even those that are known), but what struck me as noteworthy was the case where Microsoft correctly challenged the CORS standard. It didn't appear that they were doing this for any political reason and in fact came up with a more technically superior solution, which the CORS team eventually drew inspiration from. That was nice for the author to throw in there and show that Microsoft still has the ability to engineer great solutions when they truly care about an initiative.
I hope other readers also enjoy the book when they pick it up...